This file lists all significant changes made between the Owl 3.1 branch
point (off Owl-current) and the current state of the 3.1-stable branch.

The dates shown in braces indicate when an equivalent change went into
Owl-current, where applicable. Note that although the 3.1 branch point
was created in mid-2014, Owl 3.1 was never released (nor was it intended
to be) and the Owl 3.1-stable branch was only released in January 2015.

Security fixes have a "Severity" specified for the issue(s) being fixed.
The three comma-separated metrics given after "Severity:" are: risk
impact (low, medium, or high), attack vector (local, remote, or
indirect), and whether the attack may be carried out at will (active) or
not (passive). Please note that the specified risk impact is just that,
it is not the overall severity, so other metrics are not factored into
it. For example, a "high" impact "local, passive" issue is generally of
lower overall severity than a "high" impact "remote, active" one - this
is left up to our users to consider given their specific circumstances.

Per our current conventions, a Denial of Service (DoS) vulnerability is
generally considered to have a "low" risk impact (even if it is a
"remote, active" one, which is to be considered separately as it may
make the vulnerability fairly critical under specific circumstances).
Some examples of "medium" impact vulnerabilities would be persistent DoS
(where the DoS effect does not go away with a (sub)system restart), data
loss, bugs enabling non-critical information leaks, cryptographic
signature forgeries, and/or sending of or accepting spoofed/forged
network traffic (where such behavior was unexpected), as long as they
would not directly allow for a "high" impact attack. Finally, a typical
"high" impact vulnerability would allow for privilege escalation such as
ability to execute code as another user ID than the attacker's (a
"local" attack) or without "legitimately" having such an ability (a
"remote" attack).

The metrics specified are generally those for a worst case scenario,
however in certain cases ranges such as "none to low" or/and "local to
remote" may be specified, referring to the defaults vs. a worst case yet
"legitimate" custom configuration. In some complicated cases, multiple
issues or attacks may be dealt with at once. When those differ in their
severity metrics, we use slashes to denote the possible combinations.
For example, "low/none to high, remote/local" means that we've dealt
with issue(s) or attack(s) that are "low, remote" and those that are
"none to high, local". In those tricky cases, we generally try to
clarify the specific issue(s) and their severities in the description.

Don't open the DB_CONFIG file in the current directory. This unexpected
property of db4 could have allowed for local DoS, information leaks, and
privilege escalation via programs using db4, including Postfix.
Reference:
http://www.openwall.com/lists/oss-security/2017/06/15/3

(2017/06/08)
2017/06/29 Package: kernel

Backported upstream reimplementation of restricted hard links,
controllable via the fs.protected_hardlinks sysctl and enabled by
default, similar to what we had as part of CONFIG_HARDEN_LINK in -ow
patches and what grsecurity had as part of CONFIG_GRKERNSEC_LINK. This
reinforces the group crontab vs. root privilege separation in our
package of ISC/Vixie Cron.
Reference:
http://www.openwall.com/lists/oss-security/2017/06/08/3

Merged in Red Hat's CVE-2016-5195 "Dirty COW" fix while also keeping the
mitigation introduced in Owl earlier. In the kernel build for x86-64,
bumped up the maximum number of logical CPUs from 32 to 96, enabled
support for NUMA, huge pages, hugetlbfs, modules for I2C and many
sensors (similar to what's enabled in RHEL) and CPU microcode update.

Updated to 1.0.0t, which fixes the "X509_ATTRIBUTE memory leak"
(CVE-2015-3195) and "Race condition handling PSK identify hint"
(CVE-2015-3196) vulnerabilities. Neither of these affects the uses of
OpenSSL in Owl, but third-party applications using Owl's OpenSSL might
be affected. The "high" impact potential is for the double-free
possibility mentioned in the OpenSSL advisory, even though the OpenSSL
team has rated the corresponding issue as "low" overall severity
(possibly considering its low risk probability, or/and other mitigating
factors). This Owl package update also adds a CA certificate bundle.
Reference:
https://www.openssl.org/news/secadv/20151203.txt